11/01/2012

Judgement reinforces the link between “lawful processing”, the First Data Protection Principle and human rights/other laws.

Belated Happy New Year, but we start 2012 with a report that has a lot in it. Stick with this judgement as, in summary, it states that:

(a) the term “lawful” processing in First Principle relates to that processing which is consistent with the application of any relevant law including law of confidence (the Information Commissioner is not keen to enforce “lawful processing”); I should add that the implications of “lawful processing” have yet to be applied to other Principles (e.g. to the Seventh Principle and security considerations);

(b) the purpose of the Data Protection Directive is to implement Article 8 of the Human Rights Act; so in theory, the Information Commissioner could consider “lawfulness” in terms of Article 8; and

(c) the Information Commissioner ignores the Lindqvist decision (see references) in his detailed commentary on the application of the domestic purpose exemption to personal data on a website; the Court says the Commissioner’s advice is inconsistent with the law.

The judgement concerns the “SolictorsFromHell” website (see references). The publisher (and data controller) of that web-site claimed that “under Article 10 of the European Convention on Human Rights, you have the right to freedom of speech and expression to voice your complaint! But it must accurate and truthful. You can complain here. RIGHT NOW! NAME and SHAME your OPPRESSOR Problem Solicitor? No need to register or even leave your name. Click on the link below and add them to our list of 'Solicitors from Hell'”.

Despite the plea for accuracy, the website collected a vast number of unattributable, unchecked allegations concerning named solicitors, some of which alleged activities of a salacious or criminal nature. In other words the personal data involved sensitive personal data; this probably explains why the publisher had also lost a number of previous libel cases and was bankrupt.

Three complainants (one of which was the Law Society) took up the cudgels against the publisher in order to stop the further processing of personal data. In an uncontested action, they argued that that the Data Controller (i.e. the publisher) had breached:

i) The First Data Protection Principle because the processing was unfair and there was no Schedule 2 condition to legitimise the processing (and in the case of some sensitive personal data no Schedule 3 condition). In the event, the Court concluded “None of the conditions in Schedule 2 of the DPA is met by the Defendant in respect of the processing of this data on the Website” and that “the Defendant has processed the said data in a grossly unfair and unlawful way”;

ii) The Fourth Data Protection Principle: that personal data shall be accurate and, where necessary, kept up to date. In the event, the Court concluded “the personal and sensitive personal data about the Third Claimant processed by the Defendant and published on the Website are false and accordingly wholly inaccurate”;

iii) The Sixth Data Protection Principle: that personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998; in particular the Defendant had ignored the exercise of the right to object to the processing of personal data. The Court agreed, and granted a notice under section 10(4) of the Act.

So that’s the case and outcome; now look at what the judge said re the First Principle (at para 78; my emphasis):

The reference to ‘lawfully’ in the First Data Protection Principle applies to any form of conduct that is unlawful, including breach of confidence, libel, and harassment. As Patten J said in Murray v Express Newspapers Ltd [2007] EWHC 1908 (Ch) [200] EMLR 22 at para [72]:

“It seems to me that the reference to lawfully in Schedule 1, Part 1 must be construed by reference to the current state of the law in particular in relation to the misuse of confidential information. The draftsman of the Act has not attempted to give the word any wider or special meaning and it is therefore necessary to apply to the processor of the personal data the same obligations of confidentiality as would otherwise apply but for the Act”

The Information Commissioner (ICO) is reluctant to deal with complaints of unlawful processing because they require him to understand how any piece of legislation defines what is lawful so that lawfulness under the Data Protection Act can be assessed. The ICO claims that he cannot be an expert in every law – and that is why, in some case, he prefers to deal with such cases in terms of “fair processing” issues (where the subject is purely a data protection issue).

His guidance makes this clear; in the context of lawful processing, states that his office may not

“pursue allegations of breach of copyright (or any other law) as this would go beyond the remit of the Data Protection Act. Many areas of law are complex, and the ICO is not and cannot be expected to be expert in all of them” (my emphasis)”.

Despite these difficulties, unlawful processing has now, in these two judgements, been given a clean bill of health; data subjects clearly can ask for assessments whether or not such and such a processing is lawful (e.g. in terms of copyright, confidence and any other law) – and expect them to be considered in these terms.

Another possible consequence may be the inclusion of the Seventh Principle in cases were breaches of confidence involving personal data are the issue. This is clear from the text of the Principle which requires “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data....etc ” (my emphasis). So if a data controller failed to secure personal data of a confidential nature (e.g. loss of health personal data), then a breach of confidence can also be extended to include a Seventh Data Protection Principle breach.

Another “advance” in the judgment is the express linkage between Article 8 and Data Protection (a particular hobby-horse of mine – see references); I think it means that it is legitimate to ask the ICO for an assessment whether the processing is lawful in terms of Article 8. This is because the judge says (at para 97):

“...The purpose of the (Data Protection) Directive was to give effect in the context of data protection to the Art 8 rights of the ECHR (right to respect for private life). See Recitals (8) to (12). It is a privacy statute, although its scope is limited by a number of provisions, including the definition of data in s.1 and the application of the Act delimited in s.5”. (A big hurray from me!)

Lindqvist and blogging

The Information Commissioner’s analysis is panned I am afraid. He had argued that the “Solicitors from Hell” website fell within the “domestic purpose exemption”, and in a letter to one of the complainants, he explained this fact. The Court concluded that in the context of lawful processing:

“I do not find it possible to reconcile the views on the law expressed in the Commissioner’s letter with authoritative statements of the law. The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawful.” (para 100)

This is important as the relevant part of the Commissioner’s letter is clearly very wrong. It states (para 96):

“The inclusion of the “domestic purposes” exemption in the Data Protection Act (s.36) is intended to balance the individual’s rights to respect for his/her private life with the freedom of expression. These rights are equally important and I am strongly of the view that it is not the purpose of the DPA to regulate an individual right to freedom of expression – even where the individual uses a third party website, rather than his own facilities, to exercise this. (The s.36 exemption clearly did not anticipate individuals using third party websites to carry out their ‘personal’ processing).

The situation would clearly be impossible were the Information Commissioner to be expected to rule on what it is acceptable for one individual to say about another be that a solicitor or another individual. This is not what my office is established to do. This is particularly the case where other legal remedies are available – for example, the law of libel or incitement. ….

This analysis (and the Court’s conclusions by the way) ignores the case of Lindqvist (see references) where the European Court of Justice decided that in the context of the domestic purpose exemption:

"As regards the exception ... which concerns ... the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, correspondence and the holding of records of addresses.

That exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people”. (paras 46 and 47 of Lindqvist)

This interpretation of the exemption should be binding in the UK context (but it was missed). It states that if personal data are published on a website then this processing CANNOT fall within the domestic purpose exemption. This in turn means that any argument re Freedom of Speech is simply not relevant.

This then focuses on those infraction proceedings where the European Commission has said the Data Protection Act is a deficient implementation of the Directive. One of the myriad of grounds claimed by the Commission is that “the inclusion of “recreational purposes” in the Data Protection Act which, in the Commission’s view appeared to be broader than household activities” (see references).

In other words, the Commissioner’s interpretation of the law with respect to websites could have been based on the Government’s incorrect implementation of the Data Protection Directive (the details of which been kept secret for seven years).

The result, if true, is serious: ALL data subjects (and not just the ones who had the time and money to take this action) have been denied the protection that the Act affords if personal data about them is published on websites; additionally they may have been denied proper access to the ICO to explore the data protection issues.

This in turn increases the importance of knowing the issues surrounding the UK Government’s approach to the implementation of the Directive. It also means the ICO should revisit his policy re "lawful" processing.

Comments

You can follow this conversation by subscribing to the comment feed for this post.

I feel like I may have missed something here.

Regardless of the intended audience of the website, so, for example a personal blog or a 'mini-site' for a family dedicated to 'What we did last summer', if the internet at large is able to access it, the site and the information on it cannot be said to be for 'domestic purposes'?

This doesn't feel right to me.

I certainly agree that in the Solicitors from Hell case the site owner actively solicited and published information given to him by the public and by doing so I feel lost his ability to rely on any domestic purposes exception but if his website just dealt with his own, personal, experiences with the legal system then how is that not covered by Article 10?

From your article, the ECJ judgement seems to imply that there can be no freedom of expression on the internet simply due to the fact that it is on the internet. A rather perverse state of affairs don't you think?

In my opinion the ICO does express a view on the legal issues from time to time. On the question of single person discounts he has on his web site a comment which in my view (and the view of a number of others) falsely reflects council tax discount law. Even when sent a briefing on this law produced by a solicitor for the Audit Commission (which is not fully comprehensive) which demonstrated that the 'legal'advice on the full electoral register and council tax discounts on the ICO's own web site is wrong, the ICO could take no action, claiming, in what appears to be a self contradictory manner, that it was unable to comment on legal issues, very much along the lines set out in your article.

However, the office did comment that in their view it was 'unlikely' that the Audit Commission has got it (council tax discount law) wrong, which is also annoying because there appears to be some internal confusion within that department and even though **** (named civil servant) at the Dept of Communities wrote to them on this issue they persist in publishing on their secure web site highly damaging allegations about the significance of one of their data analytic exercises. By the way, at last somebody is taking notice of this issue albeit not in Privacy Terms: it hit the Guardian consumer pages that, courtesy of Experian Ltd's data bases, people are being graded, using what may be called 'data matching' by some but is actually a statistical process in terms of the chances they are frauds, and subjected to investigations aka 'reviews' on that basis. Thank you for reading this. Sorry if it is garbled. Very interesting Blog post on 'lawful processing'.

On the subject of the ICO and his vires to make legal judgements on matters other than the DP Act, I refer you to the comments that office made in Decision Notice FS50277167.

You will note that the ICO stated that the Audit Commission had the power to collate information to 'indicate whether the claim is being made on a fraudulent basis'.

One does not have to have read much law to realise that in respect of a mens rea offence no amount of data matching could indicate that a claim was being made on a 'fraudulent' basis.

However, a little knowledge of the Local Government Finance Act tells one that the situation in question, the one in which the Audit Commission expects investigations to take place is in fact perfectly legal and proper.

But the point relevant to your article is that in a DECISION NOTICE ICO staff clearly took a 'legal position' and drew legal conclusions and published them.

The self evidence absurdity of the grounds upon which this decision notice was based given the contents of this decision notice need no comment from me!

The ICO refused to make the AC disclose its interpretation of the match on the basis that doing this would alert criminals but it did this in a notice which ITSELF contained an interpretation of the match.

I also draw your attention to the Consent Order relevant to this notice.

Some months after I launched an F of I Tribunal, the Audit Commission, for no good reason that I have ever had made clear to me, and possibly in my view, because I made it clear that I intended to argue that the legally inaccurate nature of the AC's secret guidance most certainly affected the public interest test, decided to cough up the guidance in question.

The judge suggested that I should ask for it again and I did and they provided it and then I decided that the effort in getting the absurd ICO decision overturned was probably more effort than it was worth.

But the main point here is that the 'legal opinion' of the ICO as evidenced in its Decision Notice was so over the top that even the Audit Commission demurred.

And you will see from the consent order (now on the F of I Tribunal Web site) that what I say is true.

Therefore there are a number of pressing issues relating to this matter of the ICO taking up and propounding legal positions relating to matters outwith the DP Act.

All materials on this website are the copyright of Amberhawk Training Limited, except where otherwise stated. If you want to use the information on the blog, all we ask is that you do so in an attributable manner.